| Summary: | <dev-lang/lua-{5.1.5-r4,5.2.3}: overflow flaw in vararg functions | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | lori, mabi, rafaelmartins, sam, williamh |
| Priority: | Normal | Flags: | nattka:
sanity-check-
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1132304 | ||
| Whiteboard: | B2 [glsa cve ebuild?] | ||
| Package list: |
=dev-lang/lua-5.1.5-r4
|
Runtime testing required: | --- |
Original request if ready for stabilization on 8/22. 5.23 is in tree but masked. Please advise what is the status for stabilization, even if the status is not ready, and the reasons (or bugs) that are blocking this. Ping on question on stabilization, please advise. Otherwise will call for stabilization on around October 11, 2014. http://www.lua.org/bugs.html#5.2.2-1: reported by 云风 on 17 Apr 2013. existed since 5.1. fixed in 5.2.3. CC'ing new maintainer. @ Maintainer(s): The call for stabilization timed out 2y ago... due to changed maintainer, please advise us how to proceed. >=dev-lang/lua-5.2.3 has to go stable and previous versions needs to get cleaned up. Note: I ping'ed William via IRC. He needs to talk to Rafael first. If we don't get an update from maintainers until 2016-12-30 security will consider next steps. Should be fixed in -r4 OK, maintainer decided to patch existing 5.1.5 version (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=856bde253c4184b33adc1f0267e80464d564763b), thanks! @ Arches, please test and mark stable: =dev-lang/lua/lua-5.1.5-r4 amd64 stable x86 stable arm stable Stable on alpha. sparc stable Stable for HPPA. ppc stable ia64 stable ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. GLSA request filed. Another LWN article... "Gentoo patches ancient bug." This issue was resolved and addressed in GLSA 201701-53 at https://security.gentoo.org/glsa/201701-53 by GLSA coordinator Aaron Bauman (b-man). @maintainer(s), please cleanup. (In reply to Aaron Bauman from comment #17) > This issue was resolved and addressed in > GLSA 201701-53 at https://security.gentoo.org/glsa/201701-53 > by GLSA coordinator Aaron Bauman (b-man). > > @maintainer(s), please cleanup. cleaned up. thanks I can see that there's no stable dev-lang/lua for amd64 and x84 arches in the tree, what's wrong? (In reply to Gleb from comment #19) > I can see that there's no stable dev-lang/lua for amd64 and x84 arches in > the tree, what's wrong? yes, for some reason those keywords disappeared from -r4 before I cleaned up the old ebuilds, and repoman failed to warn me. mgorny fixed it while I was away. thanks *** Bug 606902 has been marked as a duplicate of this bug. *** The patch for this CVE was deleted together with 5.1.5-r4 in commit 94dbb827593747a05def4ea999d8d153e166795e. Moreover, it was never applied to more recent revisions. In my opinion, it should be re-activated for 5.1.5-r106 and kept for future revisions. Unable to check for sanity:
> no match for package: =dev-lang/lua-5.1.5-r4
|
From ${URL} : An overflow flaw was fixed in Lua 5.2.2: http://www.lua.org/bugs.html#5.2.2-1 This could cause the application to crash or, potentially, execute arbitrary code. One way an attacker could trigger this issue is if they can control parameters to a loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua). Although Fedora 20 has 5.2.2, the issue is not resolved there. @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.